sync

Synchronization commands for NDCLI. These commands help you monitor and trigger configuration synchronization to devices.

Overview

Configuration sync ensures that devices receive and apply the latest configuration from their assigned templates. Sync status shows whether devices are up-to-date with their expected configuration.

Commands

Command	Description
`sync status`	Show sync status for devices
`sync apply`	Trigger sync for devices

sync status

Show synchronization status for devices.

ndcli sync status [flags]

Flags

Flag	Type	Default	Description
`--device`	string		Filter by device name (regex pattern)
`--ou`	string		Filter by organizational unit (regex pattern)
`--template`	string		Filter by template name (regex pattern) — devices whose effective OU→Template chain matches
`--org`	string	current org	Filter by organization (regex pattern)
`--drift-status`	string		Filter by drift status: `IN_SYNC`, `DRIFT`, `NEVER_SYNCED`, `UNKNOWN`, `ERROR`

Output

Shows for each device:

Device name
Organizational unit
Sync status (synced/pending/error)
Drift status
Last sync timestamp
Configuration version

Sync States

State	Description
Synced	Device has the latest configuration
Pending	Device needs to sync new configuration
Error	Last sync attempt failed
Never	Device has never synced

Examples

ndcli sync status

ndcli sync status --device fw-prod-01

ndcli sync status --ou production

ndcli sync status --device "fw-.*-01"

ndcli sync status --drift-status DRIFT

ndcli sync status --drift-status DRIFT --ou production

sync apply

Trigger configuration sync for one or more devices.

ndcli sync apply [flags]

Flags

Flag	Type	Default	Description
`--device`	string		Sync devices matching pattern (regex)
`--ou`	string		Sync all devices in OUs matching pattern (regex)
`--template`	string		Sync devices whose effective OU→Template chain matches the template name (regex)
`--org`	string	current org	Filter by organization (regex pattern)
`--drift-status`	string		Only sync devices with the given drift status: `IN_SYNC`, `DRIFT`, `NEVER_SYNCED`, `UNKNOWN`, `ERROR`
`--force`	bool	`false`	Force sync even if already synced
`--yes`	`-y`	`false`	Skip confirmation prompt

Examples

ndcli sync apply --device fw-prod-01

ndcli sync apply --ou production

ndcli sync apply --ou "prod.*"

ndcli sync apply --device "fw-datacenter-.*"

ndcli sync apply --template edge-firewall-v2

ndcli sync apply --template "^edge-.*" --yes

ndcli sync apply --device fw-prod-01 --force

ndcli sync apply --ou staging --yes

ndcli sync apply --drift-status DRIFT

ndcli sync apply --drift-status DRIFT --yes

Confirmation

By default, sync apply asks for confirmation before triggering syncs. Use --yes or -y to skip:

ndcli sync apply --ou production -y

Force Sync

Normally, devices that are already synced are skipped. Use --force to re-sync all matched devices:

ndcli sync apply --ou production --force

Combining Filters

You can combine --device, --ou, and --template to narrow the scope (filters compose via AND):

ndcli sync apply --ou production --device "fw-web-.*"

ndcli sync apply --template edge-firewall-v2 --ou "prod.*"

Template-scoped sync

Templates can be attached to multiple OUs. --template selects every device whose effective Device → OU → Template chain includes a template matching the regex, so you can sync “everything affected by template X” without enumerating its OUs:

ndcli sync status --template '^edge-firewall-.*'

ndcli sync apply --template edge-firewall-v2 -y

Typical Workflow

ndcli sync status --ou production

ndcli sync apply --ou production

ndcli sync status --ou production

ndcli task list --type SYNC --created-after 5m